From: Chris Wright Date: Mon, 4 Dec 2006 23:35:48 +0000 (-0800) Subject: do_coredump fix for setuid core dump mode from Alexey Dobriyan X-Git-Tag: v2.6.19.1~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d509e8501096f9127444b291ae65cfb54c78eb6b;p=thirdparty%2Fkernel%2Fstable-queue.git do_coredump fix for setuid core dump mode from Alexey Dobriyan --- diff --git a/queue-2.6.19/do_coredump-and-not-stopping-rewrite-attacks.patch b/queue-2.6.19/do_coredump-and-not-stopping-rewrite-attacks.patch new file mode 100644 index 00000000000..4e554707f5e --- /dev/null +++ b/queue-2.6.19/do_coredump-and-not-stopping-rewrite-attacks.patch 
@@ -0,0 +1,44 @@ +From linux-kernel-owner+chrisw=40sous-sol.org-S1031791AbWLBU6v@vger.kernel.org Sat Dec 2 13:03:34 2006 +Date: Sat, 2 Dec 2006 23:58:49 +0300 +From: Alexey Dobriyan +To: linux-kernel@vger.kernel.org +Subject: do_coredump() and not stopping rewrite attacks? + +On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote: +> David Binderman compiled 2.6.19 with icc and grepped for "was set but never +> used". Many warnings are on +> http://coderock.org/kj/unused-2.6.19-fs + +Heh, the very first line: +fs/exec.c(1465): remark #593: variable "flag" was set but never used + +fs/exec.c: + 1477 /* + 1478 * We cannot trust fsuid as being the "true" uid of the + 1479 * process nor do we know its entire history. We only know it + 1480 * was tainted so we dump it as root in mode 2. + 1481 */ + 1482 if (mm->dumpable == 2) { /* Setuid core dump mode */ + 1483 flag = O_EXCL; /* Stop rewrite attacks */ + 1484 current->fsuid = 0; /* Dump root private */ + 1485 } + +And then filp_open follows with "flag" totally ignored. + +Signed-off-by: Chris Wright +--- + fs/exec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- linux-2.6.19.orig/fs/exec.c ++++ linux-2.6.19/fs/exec.c +@@ -1515,7 +1515,8 @@ int do_coredump(long signr, int exit_cod + ispipe = 1; + } else + file = filp_open(corename, +- O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600); ++ O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, ++ 0600); + if (IS_ERR(file)) + goto fail_unlock; + inode = file->f_dentry->d_inode; diff --git a/queue-2.6.19/series b/queue-2.6.19/series index 4dbc2b0500a..18ced6356a1 100644 --- a/queue-2.6.19/series +++ b/queue-2.6.19/series @@ -14,3 +14,4 @@ netfilter-fix-iptables-compat-hook-validation.patch netfilter-bridge-netfilter-deal-with-martians-correctly.patch softmac-fix-unbalanced-mutex_lock-unlock-in-ieee80211softmac_wx_set_mlme.patch ib-ucm-fix-deadlock-in-cleanup.patch +do_coredump-and-not-stopping-rewrite-attacks.patch
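Review bot: the `@@ -1515,7 +1515,8 @@` hunk ORs `flag` into the filp_open() flags, but the quoted fs/exec.c excerpt only assigns `flag = O_EXCL` inside the `mm->dumpable == 2` branch and the declaration of `flag` is not in the hunk; please confirm it is initialised to 0 on the non-setuid path, since an uninitialised value OR'ed into the open flags would affect every core dump, not just the setuid case. With the change, a setuid dump now fails at filp_open() when `corename` already exists instead of truncating it while `current->fsuid` is 0, which is what the `/* Stop rewrite attacks */` comment intends: O_NOFOLLOW only refuses a symlink at the final path component, so O_EXCL is the part that keeps a pre-existing regular file from being rewritten with root credentials. While this call is being touched, the literal `2` in `O_CREAT | 2 | O_NOFOLLOW` is O_RDWR and would read better spelled out, though that is arguably out of scope for a stable backport.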